Prosecution Insights
Last updated: April 19, 2026
Application No. 18/602,830

MANAGEMENT OF SOFTWARE DEPENDENCIES

Non-Final OA: §101, §102, §103, §112

Filed: Mar 12, 2024
Examiner: KAMRUZZAMAN, MD
Art Unit: 2191
Tech Center: 2100 — Computer Architecture & Software
Assignee: Wells Fargo Bank N A
OA Round: 1 (Non-Final)
Grant Probability: Favorable
Expected OA Rounds: 1-2
Expected Time to Grant: 3y 3m

Examiner Intelligence

Career Allow Rate: 0% (grants only 0% of cases; 0 granted / 0 resolved; -55.0% vs TC avg)
Interview Lift: +0.0% (minimal +0% lift; resolved cases with interview, without vs with)
Typical timeline: 3y 3m avg prosecution
Career history: 1 total application across all art units; 1 currently pending

Statute-Specific Performance
§101: 16.7% (-23.3% vs TC avg)
§103: 50.0% (+10.0% vs TC avg)
§102: 16.7% (-23.3% vs TC avg)
§112: 16.7% (-23.3% vs TC avg)
Black line = Tech Center average estimate. Based on career data from 0 resolved cases.

Office Action

§101 §102 §103 §112
DETAILED ACTION

This is the initial office action based on the application submitted on March 12, 2024. Claims 1-20 are pending.

Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(1) because reference character 306 is identified in the detailed description as an “input/output controller”, while the drawings identify reference character 306 as “Input / Output Unit”. The specification and drawings must use consistent terminology for the same reference character. Appropriate correction is required.

The drawings are objected to as failing to comply with 37 CFR 1.84(p)(1) because reference character 324 is identified in the detailed description as “software instructions and applications”, while the drawings identify reference character 324 as “Software Applications”. The specification and drawings must use consistent terminology for the same reference character. Appropriate correction is required.

Corrected drawing sheets in compliance with 37 CFR 1.121(d), or amendment to the specification to use consistent terminology in the description and figure in compliance with 37 CFR 1.121(b), are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.
Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 6 and 16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Claim 6 recites the limitation "all vulnerabilities" in line 2. There is insufficient antecedent basis for this limitation in the claim. Claim 6 depends on Claim 5, which depends on Claim 1, which only mentions the limitations “a vulnerability” and “the vulnerability”. For the purposes of examination, “all vulnerabilities” in the limitation “create a risk score associated with all vulnerabilities for the computer program;” is interpreted under the broadest reasonable interpretation to require generating a risk score for each vulnerability identified for the computer program, such that the complete set of identified vulnerabilities is scored.

Claim 16 is a method claim corresponding to the computer system claim hereinabove (Claim 6). Therefore, claim 16 is rejected for the same reasons set forth in the rejection of claim 6.

Claim Rejections - 35 USC § 101

35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more.

Claim Interpretation: Under the broadest reasonable interpretation (BRI), the limitations of Claim 1 are presumed to have their plain meaning consistent with the specification as it would be interpreted by one of ordinary skill in the art. See MPEP § 2111.

Step 1: Claim 1 is directed to a computer system, which is a machine, and falls within one of the statutory categories of invention.

Step 2A, Prong One: Claim 1 recites the limitations:
(a) identify a vulnerability associated with a dependency for a computer program as the computer program is being developed;
(b) determine a severity of the vulnerability; and
(c) manage the dependency based upon the severity of the vulnerability.

These recited steps, under the broadest reasonable interpretation (BRI), cover performance of the steps in the human mind alone or with the aid of pen and paper. That is, other than reciting:
(1) one or more processors; and
(2) non-transitory computer-readable storage media encoding instructions which, when executed by the one or more processors, causes the computer system to:
nothing in the claim precludes the steps from practically being performed in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper.

For example, the limitation (a) in the context of the claim encompasses a human observing a dependency for a computer program as the computer program is being developed in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper to identify a vulnerability associated with the dependency. The limitation (b) in the context of the claim encompasses a human evaluating a vulnerability in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper to determine the severity of the vulnerability. And the limitation (c) in the context of the claim encompasses a human judging the severity of a vulnerability in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper to manage the dependency based on the severity of the vulnerability. See MPEP § 2106.04(a)(2)(III). If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the human mind alone or with the aid of pen and paper but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.

Step 2A, Prong Two: This judicial exception is not integrated into a practical application. In particular, the claim recites the additional elements:
(1) one or more processors; and
(2) non-transitory computer-readable storage media encoding instructions which, when executed by the one or more processors, causes the computer system to:
The additional elements (1) and (2) are recited at a high level of generality such that they amount to no more than mere instructions to apply the judicial exception using generic computer components. The one or more processors and non-transitory computer-readable storage media are used as a tool to perform the identifying, determining, and managing steps of the claim. See MPEP § 2106.05(f).
Accordingly, even when viewed in combination, the additional elements do not integrate the abstract idea into a practical application because they do not impose any meaningful limits on practicing the abstract idea. The claim is directed to an abstract idea.

Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception because the additional elements, when considered both individually and as a combination, do not amount to significantly more than the abstract idea. As discussed above with respect to integration of the abstract idea into a practical application, the claim recites the additional elements:
(1) one or more processors; and
(2) non-transitory computer-readable storage media encoding instructions which, when executed by the one or more processors, causes the computer system to:
The additional elements (1) and (2) amount to no more than mere instructions to apply the judicial exception using generic computer components. The analysis under Step 2A, Prong Two is carried through to Step 2B. The use of a computer or other machinery in its ordinary capacity does not integrate a judicial exception into a practical application or provide significantly more. Thus, taken alone, the additional elements do not amount to significantly more than the above-identified judicial exception (the abstract idea). Looking at the additional elements as a combination adds nothing that is not already present when looking at the additional elements taken individually. Even when considered in combination, the additional elements represent mere instructions to apply a judicial exception using generic computer components and therefore do not provide an inventive concept. The claim is not patent eligible.

Claims 2-10 are dependent on Claim 1, but do not add any feature or subject matter that would solve the judicial exception deficiencies of Claim 1. Claims 2-10 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more for at least the reasons stated above.

Claim 2 recites the limitation:
(a) block the dependency or block release of the computer program based upon the severity.

Claim 3 recites the limitation:
(a) generate an alert based upon the severity of the vulnerability.

Claim 4 recites the limitation:
(a) block downloading of the dependency;
(b) block code including the dependency during versioning; and
(c) block release of the computer program including the dependency.

Claim 5 recites the limitation:
(a) wherein the dependency is managed using rules.

Claim 6 recites the limitation:
(a) wherein the dependency is managed by: create a risk score associated with all vulnerabilities for the computer program;
(b) and use the rules to hold the computer program based upon the risk score.

Claim 7 recites the limitation:
(a) wherein the rules are based upon the severity of the vulnerability and a context of the dependency.

Claim 8 recites the limitation:
(a) wherein the rules are stored in a central database.

Claim 9 recites the limitation:
(a) generate a compliance report based upon vulnerabilities identified for the computer system.

Claim 10 recites the limitation:
(a) identify trends associated with the vulnerabilities identified for the computer system.

Claims 3, 5, 6, 7, 9, 10 recite further mental steps which can be practically performed in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper and thus fail to make the claim any less abstract (see MPEP § 2106.04(a)(2)(III)).

Claims 2, 4, 8 recite further additional elements that do not integrate the judicial exception into a practical application of the judicial exception because they do not require any particular application of the judicial exception and are, at best, the equivalent of merely adding the words “apply it” (or an equivalent) to the judicial exception (see MPEP § 2106.05(f)) and thus are not significantly more than the abstract idea. Thus, claims 2-10 do not add any steps or additional elements, when considered both individually and as a combination, that would convert Claim 1 into patent-eligible subject matter. Therefore, claims 1-10 are not drawn to patent-eligible subject matter as they are directed to an abstract idea without significantly more.

Claim Interpretation: Under the broadest reasonable interpretation (BRI), the limitations of Claim 11 are presumed to have their plain meaning consistent with the specification as it would be interpreted by one of ordinary skill in the art. See MPEP § 2111.

Step 1: Claim 11 is directed to a method, which is a process (a series of steps or acts), and falls within one of the statutory categories of invention.

Step 2A, Prong One: Claim 11 recites the limitations:
(a) identify a vulnerability associated with a dependency for a computer program as the computer program is being developed;
(b) determine a severity of the vulnerability; and
(c) manage the dependency based upon the severity of the vulnerability.

These recited steps, under the broadest reasonable interpretation (BRI), cover performance of the steps in the human mind alone or with the aid of pen and paper. Nothing in the claim precludes the steps from practically being performed in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper.

For example, the limitation (a) in the context of the claim encompasses a human observing a dependency for a computer program as the computer program is being developed in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper to identify a vulnerability associated with the dependency. The limitation (b) in the context of the claim encompasses a human evaluating a vulnerability in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper to determine the severity of the vulnerability. And the limitation (c) in the context of the claim encompasses a human judging the severity of a vulnerability in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper to manage the dependency based on the severity of the vulnerability. See MPEP § 2106.04(a)(2)(III). If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the human mind alone or with the aid of pen and paper but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. Accordingly, the claim recites an abstract idea.

Step 2A, Prong Two: This judicial exception is not integrated into a practical application. The claim does not recite additional elements. The claim is directed to an abstract idea.

Step 2B: The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. The claim is not patent eligible.

Claims 12-20 are dependent on Claim 11, but do not add any feature or subject matter that would solve the judicial exception deficiencies of Claim 11. Claims 12-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more for at least the reasons stated above.

Claim 12 recites the limitation:
(a) block the dependency or block release of the computer program based upon the severity.

Claim 13 recites the limitation:
(a) generate an alert based upon the severity of the vulnerability.

Claim 14 recites the limitation:
(a) block downloading of the dependency;
(b) block code including the dependency during versioning; and
(c) block release of the computer program including the dependency.

Claim 15 recites the limitation:
(a) wherein the dependency is managed using rules.

Claim 16 recites the limitation:
(a) wherein the dependency is managed by: create a risk score associated with all vulnerabilities for the computer program;
(b) and use the rules to hold the computer program based upon the risk score.

Claim 17 recites the limitation:
(a) wherein the rules are based upon the severity of the vulnerability and a context of the dependency.

Claim 18 recites the limitation:
(a) wherein the rules are stored in a central database.

Claim 19 recites the limitation:
(a) generate a compliance report based upon vulnerabilities identified for the computer system.

Claim 20 recites the limitation:
(a) identify trends associated with the vulnerabilities identified for the computer system.

Claims 13, 15, 16, 17, 19, 20 recite further mental steps which can be practically performed in the human mind alone using observation, evaluation, judgment, and opinion or with the aid of pen and paper and thus fail to make the claim any less abstract (see MPEP § 2106.04(a)(2)(III)).
Claims 12, 14, 18 recite further additional elements that do not integrate the judicial exception into a practical application of the judicial exception because they do not require any particular application of the judicial exception and are, at best, the equivalent of merely adding the words “apply it” (or an equivalent) to the judicial exception (see MPEP § 2106.05(f)) and thus are not significantly more than the abstract idea. Thus, claims 12-20 do not add any steps or additional elements, when considered both individually and as a combination, that would convert claim 11 into patent-eligible subject matter. Therefore, claims 11-20 are not drawn to patent-eligible subject matter as they are directed to an abstract idea without significantly more.

Claim Rejections - 35 USC § 102

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 3, 9 and 11, 13, 19 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Velur (U.S. Patent No. 11,481,498 B2).

Regarding claim 1, Velur teaches: a computer system for managing software dependencies, comprising: one or more processors; and non-transitory computer-readable storage media encoding instructions which, when executed by the one or more processors, causes the computer system to (Velur, Col. 21, Lines 44-46, A non-transitory computer-readable medium comprising instructions that are executable by a processing device for causing the processing device to): identify a vulnerability associated with a dependency for a computer program as the computer program is being developed (Velur, Col. 3, Lines 5-6, FIG. 4 illustrates pseudo logic that can be used to aggregate a list of vulnerable third-party libraries); [Examiner Remarks: the specification states that “Such dependencies can include software libraries that are incorporated as part of the software development process” (Paragraph 0010). Thus, one of ordinary skill in the art would readily comprehend that third-party libraries can be reasonably interpreted as the claimed “dependency”.] determine a severity of the vulnerability (Velur, Col. 4, Lines 64-65, the invention can determine (i) the severity of the vulnerability); and manage the dependency based upon the severity of the vulnerability (Velur, Col. 7, Lines 40-42, (iii) addressing the vulnerabilities in deployed applications based on the severity of the exposure).

Regarding claim 3, the rejection of claim 1 is incorporated. Velur further teaches: generate an alert based upon the severity of the vulnerability (Velur, Col. 7, Lines 42-43, (iv) causing a remedial action such as a notification to address the vulnerabilities).

Regarding claim 9, the rejection of claim 1 is incorporated. Velur further teaches: generate a compliance report based upon vulnerabilities identified for the computer system (Velur, Col. 8, Lines 4-8, In block 206, vulnerabilities within the libraries containing CVEs can be fixed and a report can be generated that includes information regarding each library with a CVE and/or a risk score above a threshold value).

Claims 11, 13, 19 are method claims corresponding to the computer system claims hereinabove (Claims 1, 3, 9 respectively). Therefore, claims 11, 13, 19 are rejected for the same reasons set forth in the rejections of claims 1, 3, 9 respectively.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Velur (U.S. Patent No. 11,481,498 B2) in view of Jackson (U.S. Patent No. 10,540,176 B2) and further in view of Kumar (U.S. Patent Application Publication No. US 2023/0161882 A1).

Regarding claim 2, the rejection of claim 1 is incorporated. Velur fails to teach: block the dependency or block release of the computer program based upon the severity. However, Jackson teaches: block the dependency or block release of the computer program […] (Jackson, Col. 13, Lines 64-65, One common action in the case that a component did not pass is to block the component from being served to users). Velur and Jackson are considered to be analogous to the claimed invention because they are in the same field of assessing vulnerabilities and evaluating computer system security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified the teachings of Velur to incorporate the teachings of Jackson to: block the dependency or block release of the computer program […].
The modification would be obvious to one of ordinary skill in the art because by taking steps at critical junctures appropriate for software development to automatically block, quarantine, limit, or notify of software components that fail pre-defined criteria, and possibly by indicating reasons for failure and/or suggesting acceptable software components, the consumption (inbound flow) and publication (outbound flow) of software components that have risks which have already been deemed unacceptable for the repository or for the application can be reduced and/or prevented, dramatically reducing risky behavior and greatly improving overall software development efficiency (Jackson, Col. 5, Lines 8-20).

The combination of Velur and Jackson fails to teach: […] based upon the severity. However, Kumar teaches: […] based upon the severity (Kumar, Page 3, Paragraph 55, If a threshold number or type of vulnerabilities are detected during the time while the code build is happening, then the embodiments are able to terminate the code build before it completes). Kumar, Velur, and Jackson are considered to be analogous to the claimed invention because they are in the same field of assessing vulnerabilities and evaluating computer system security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combined teachings of Velur and Jackson to incorporate the teachings of Kumar to have: […] based upon the severity. The modification would be obvious to one of ordinary skill in the art because by doing so, the new rollout or update will be prevented from being pushed out to client devices, thereby ensuring that a compromised application is not released into the public. That is, because this new update was determined to be highly vulnerable, the embodiments beneficially prevent that update from being pushed out, thereby protecting client devices (and the application) from such vulnerabilities (Kumar, Page 3, Paragraph 0055).

Claim 12 is a method claim corresponding to the computer system claim hereinabove (Claim 2). Therefore, claim 12 is rejected for the same reasons set forth in the rejection of claim 2.

Claims 4 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Velur (U.S. Patent No. 11,481,498 B2) in view of Plunk (U.S. Patent Application Publication No. US 2024/0330474 A1), and further in view of Florescu (U.S. Patent No. 10,732,962 B1).

Regarding claim 4, the rejection of claim 1 is incorporated. Velur fails to teach: block downloading of the dependency. However, Plunk teaches: block downloading of the dependency (Plunk, Page 1, Paragraph 0011, For example, improvements to the security of resources in a software dependency management system can be realized by utilizing a proxy server to prevent the download or upload of vulnerable installation packages to software dependency management systems when they violate security policies). Velur and Plunk are considered to be analogous to the claimed invention because both are in the same field of software management. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Velur with the teachings of Plunk to: block downloading of the dependency. The modification would be obvious to one of ordinary skill in the art because doing so provides mechanisms for enforcing security policies on software dependency installation packages to prevent the installation of vulnerable dependencies in developer, CI, and/or production systems (Plunk, Page 1, Paragraph 0009).
Velur teaches “the dependency,” but the combination of Velur and Plunk fails to teach: block code including the dependency during versioning; and block release of the computer program […]. However, Florescu teaches: block code including the dependency during versioning; and block release of the computer program […] (Florescu, Col. 19, Lines 60-66; Col. 20, Line 1, systems and methods described herein may improve the functionality of computer systems by mitigating (e.g., preventing) the release of harmful software to a customers of a computing resource service provider, thereby causing an improvement in one or more of the following aspects: security (e.g., preventing software that includes security vulnerability from being released); performance (e.g., preventing code with memory leaks or performance issues from being released)). Velur, Plunk, and Florescu are considered to be analogous to the claimed invention because all three are in the same field of software management. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combined teachings of Velur and Plunk with the teachings of Florescu to: block code including the dependency during versioning; and block release of the computer program including the dependency. The modification would be obvious to one of ordinary skill in the art because doing so provides mechanisms for enforcing security policies on software dependency installation packages to prevent the installation of vulnerable dependencies in developer, CI, and/or production systems (Plunk, Page 1, Paragraph 0009).

Claim 14 is a method claim corresponding to the computer system claim hereinabove (Claim 4). Therefore, claim 14 is rejected for the same reasons set forth in the rejection of claim 4.

Claims 5, 6, 7 and 15, 16, 17 are rejected under 35 U.S.C. 103 as being unpatentable over Velur (U.S. Patent No. 11,481,498 B2) in view of Jackson (U.S. Patent No. 10,540,176 B2).

Regarding claim 5, the rejection of claim 1 is incorporated. Velur teaches “the dependency” but fails to teach: wherein the dependency is managed using rules. However, Jackson teaches: […] managed using rules (Jackson, Col. 10, Lines 28-31, Such a system and method can act on a set of rules embodied in policies 223, 225A, 225B that are predefined to establish what risks are deemed acceptable and what are not, and what actions to take for risks that do not pass). Velur and Jackson are considered to be analogous to the claimed invention because both are in the same field of assessing vulnerabilities and evaluating computer system security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Velur to incorporate the teachings of Jackson to have: wherein the dependency is managed using rules. The modification would be obvious to one of ordinary skill in the art because by taking steps at critical junctures appropriate for software development to automatically block, quarantine, limit, or notify of software components that fail pre-defined criteria, and possibly by indicating reasons for failure and/or suggesting acceptable software components, the consumption (inbound flow) and publication (outbound flow) of software components that have risks which have already been deemed unacceptable for the repository or for the application can be reduced and/or prevented, dramatically reducing risky behavior and greatly improving overall software development efficiency (Jackson, Col. 5, Lines 8-20).

Regarding claim 6, the rejection of claim 5 is incorporated. Velur further teaches: wherein the dependency is managed by: create a risk score associated with all vulnerabilities for the computer program (Velur, Col. 7, Lines 66-67; Col. 8, Lines 1-10, By accumulating the total number of code calls with CVEs for each library, the criticality of the CVE, and the impact to business functionality, a risk score can be assigned to each library and/or API. A risk score can represent the potential chance of a library being susceptible to a hacking attempt or security breach. In block 206, vulnerabilities within the libraries containing CVEs can be fixed and a report can be generated that includes information regarding each library with a CVE and/or a risk score above a threshold value. Based on the risk score of each library in comparison to a threshold value, a remedial action can be performed). Velur teaches “based upon the risk score,” but fails to teach: use the rules to hold the computer program […]. However, Jackson teaches: use the rules to hold the computer program […] (Jackson, Col. 10, Lines 28-31, Such a system and method can act on a set of rules embodied in policies 223, 225A, 225B that are predefined to establish what risks are deemed acceptable and what are not, and what actions to take for risks that do not pass; Jackson, Col. 13, Lines 64-65, One common action in the case that a component did not pass is to block the component from being served to users). Velur and Jackson are considered to be analogous to the claimed invention because both are in the same field of assessing vulnerabilities and evaluating computer system security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Velur to incorporate the teachings of Jackson to have: use the rules to hold the computer program based upon the risk score.
The modification would be obvious to one of ordinary skill in the art because by taking steps at critical junctures appropriate for software development to automatically block, quarantine, limit, or notify of software components that fail pre-defined criteria, and possibly by indicating reasons for failure and/or suggesting acceptable software components, the consumption (inbound flow) and publication (outbound flow) of software components that have risks which have already been deemed unacceptable for the repository or for the application can be reduced and/or prevented, dramatically reducing risky behavior and greatly improving overall software development efficiency (Jackson, Col. 5, Lines 8-20). Regarding claim 7, the rejection of claim 5 is incorporated. Velur teaches “the dependency” but fails to teach: wherein the rules are based upon the severity of the vulnerability and a context of the dependency. However, Jackson teaches: wherein the rules are based upon the severity of the vulnerability and a context […] (Jackson, Col. 5, Lines 53-64, As an example of a security vulnerability, consider that a software component might have a vulnerability rated a low level but the application blocks only vulnerabilities at a critical level. Also, a policy can include variations such as to disallow components over a certain age, or under a certain age, or to disallow all open source components. As further discussed herein below, various inventive principles and combinations thereof are advantageously employed to allow a user to establish policies that are appropriate for their system, in which a user can allow components with certain kinds of risks, and disallow others). [Examiner Remarks: the specification states that “The context can examine such aspects as how the computer program is used, where the program is used, and/or by whom the program is used” (Paragraph [0037]). 
Thus, one of ordinary skill in the art would readily comprehend that “components over a certain age, or under a certain age, or to disallow all open source components” can be reasonably interpreted as the claimed “context”.] Velur and Jackson are considered to be analogous to the claimed invention because both are in the same field of assessing vulnerabilities and evaluating computer system security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Velur to incorporate the teachings of Jackson to have: wherein the rules are based upon the severity of the vulnerability and a context of the dependency. The modification would be obvious to one of ordinary skill in the art because by taking steps at critical junctures appropriate for software development to automatically block, quarantine, limit, or notify of software components that fail pre-defined criteria, and possibly by indicating reasons for failure and/or suggesting acceptable software components, the consumption (inbound flow) and publication (outbound flow) of software components that have risks which have already been deemed unacceptable for the repository or for the application can be reduced and/or prevented, dramatically reducing risky behavior and greatly improving overall software development efficiency (Jackson, Col. 5, Lines 8-20). Claims 15, 16, 17 are method claims corresponding to the computer system claims hereinabove (Claims 5, 6, 7 respectively). Therefore, claims 15, 16, 17 are rejected for the same reasons set forth in the rejections of claims 5, 6, 7 respectively. •──────────────•──────────────• Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Velur (U.S. Patent No. 11,481,498 B2) in view of Jackson (U.S. Patent No. 10,540,176 B2) as applied to claims 5 and 15 above, and further in view of Plate (U.S. Patent Application Publication No. US 2015/0268948 A1). 
Regarding claim 8, the rejection of claim 5 is incorporated. The combination of Velur and Jackson fails to teach: wherein the rules are stored in a central database. However, Plate teaches: wherein the rules are stored in a central database (Plate, Page 4, Paragraph 0033, In the example of FIG. 1, the conflict resolution manager 120 may include a storage handler 128 configured to cause the at least one processor 110 to access one or more databases (e.g., one or more database 140) and store data and information related to one or more of the constraint definitions 144, the software component dependencies 145, and the algorithm 147 for analyzing the applications and resolving the software component dependencies 145). Velur, Jackson, and Plate are considered to be analogous to the claimed invention because both are in the same field of assessing vulnerabilities and evaluating computer system security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified the combined teachings of Velur and Jackson to incorporate the teachings of Plate to have: wherein the rules are stored in a central database. The modification would be obvious to one of ordinary skill in the art because there exists a need to improve software dependencies in applications to thereby reduce the impact of buggy and vulnerable software libraries. (Plate, Page 1, Paragraph 0004). Claim 18 is a method claim corresponding to the computer system claim hereinabove (Claim 8). Therefore, claim 18 is rejected for the same reasons set forth in the rejection of claim 8. •──────────────•──────────────• Claims 10 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Velur (U.S. Patent No. 11,481,498 B2) in view of Ansell (U.S. Patent Application Publication No. US 2022/0269791 A1). Regarding claim 10, the rejection of claim 9 is incorporated. 
Velur fails to teach: identify trends associated with the vulnerabilities identified for the computer system. However, Ansell teaches: identify trends associated with the vulnerabilities identified for the computer system (Ansell, Page 7, Paragraph 0039, For example, machine learning algorithm 146 may operate on vulnerability information 138 that includes descriptions of potential future vulnerabilities, and/or describes trends in vulnerabilities that have been associated with security breaches, to predict that certain software programs 124 may be vulnerable to security breaches at some point in the future). Velur and Ansell are considered be analogous to the claimed invention because both are in the same field of assessing vulnerabilities and evaluating computer system security. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Velur with the teaching of Ansell to have: identify trends associated with the vulnerabilities identified for the computer system. The modification would be obvious to one of ordinary skill in the art because doing so proactively identifies potential vulnerabilities before they are taken advantage of for improper purposes (Ansell, Page 1, Paragraph 0003). Claim 20 is a method claim corresponding to the computer system claim hereinabove (Claim 10). Therefore, claim 20 is rejected for the same reasons set forth in the rejection of claim 10. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. They are as follows: Lewandowski (US 2023/0281316 A1) discloses techniques for identifying and resolving security vulnerabilities in a software application build. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MD KAMRUZZAMAN whose telephone number is (571)272-8415. 
The examiner can normally be reached Monday-Friday 7:30 am - 5:00 pm Alternate Fridays Off. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wei Mui can be reached at (571) 272-3708. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /M.K./Examiner, Art Unit 2191 /WEI Y MUI/Supervisory Patent Examiner, Art Unit 2191
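The rejections of claims 5-7 above rest on two mechanisms: a per-library risk score accumulated from CVE call counts, criticality and business impact and compared to a threshold (the Velur passage), and predefined rules keyed on vulnerability severity and dependency context (age, open-source origin) that block or notify (the Jackson passage). The Python sketch below, added here and not code from the office action or from any cited patent, evaluates a dependency in that way; the weights, rule set, field names and sample libraries are all constructed assumptions.

```python
# Added example, not from the office action or any cited patent: a toy
# dependency-policy evaluator combining a per-library risk score (CVE call
# counts x criticality x business impact, compared to a threshold, as in the
# Velur passage) with predefined rules on severity and context (Jackson
# passage). All names, weights and sample data are constructed assumptions.
from dataclasses import dataclass
SEVERITY_WEIGHT = {"LOW": 1.0, "MEDIUM": 2.0, "HIGH": 4.0, "CRITICAL": 8.0}

@dataclass
class Cve:
    cve_id: str    # placeholder id, not a real CVE number
    severity: str
    calls: int     # code calls that reach the vulnerable API

@dataclass
class Library:
    name: str
    cves: list
    business_impact: float  # 1.0 internal tool .. 3.0 customer-facing
    age_days: int
    open_source: bool

def risk_score(lib):
    """Accumulate calls x criticality over the library's CVEs, scaled by impact."""
    return sum(c.calls * SEVERITY_WEIGHT[c.severity] for c in lib.cves) * lib.business_impact

# Predefined rules as (name, predicate, action); "hold" blocks the build, "notify" only reports.
RULES = [
    ("any CRITICAL CVE", lambda lib: any(c.severity == "CRITICAL" for c in lib.cves), "hold"),
    ("HIGH CVE in customer-facing use",
     lambda lib: lib.business_impact >= 3.0 and any(c.severity == "HIGH" for c in lib.cves), "hold"),
    ("open-source component older than 3 years", lambda lib: lib.open_source and lib.age_days > 3 * 365, "notify"),
]

def evaluate(lib, threshold, rules=RULES):
    """Return (action, reasons); 'hold' outranks 'notify', which outranks 'allow'."""
    score, reasons, actions = risk_score(lib), [], set()
    if score > threshold:  # threshold comparison on the accumulated score
        reasons.append(f"risk score {score:.1f} > threshold {threshold}")
        actions.add("hold")
    for name, matches, action in rules:  # severity- and context-based rules
        if matches(lib):
            reasons.append(name)
            actions.add(action)
    verdict = "hold" if "hold" in actions else "notify" if "notify" in actions else "allow"
    return verdict, reasons

# Constructed sample inputs: an internal parser and a customer-facing HTTP library.
PARSER = Library("fastparse", [Cve("CVE-XXXX-0001", "MEDIUM", 3)], 1.0, 200, True)
WEBLIB = Library("httpcore", [Cve("CVE-XXXX-0002", "HIGH", 2), Cve("CVE-XXXX-0003", "LOW", 10)], 3.0, 1500, True)
```

Note that a rule can hold a build even when the score stays under the threshold, which is the point of layering severity and context rules on top of the score.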

Prosecution Timeline

Mar 12, 2024
Application Filed
Mar 17, 2026
Non-Final Rejection — §101, §102, §103 (current)


Prosecution Projections

1-2
Expected OA Rounds
Grant Probability
3y 3m
Median Time to Grant
Low
PTA Risk
Based on 0 resolved cases by this examiner. Grant probability derived from career allow rate.
